How to fix CVE-2026-40192?

Q: How to fix CVE-2026-40192?

Within 24 hours: Inventory all systems running Pillow versions 10.3.0-12.1.x (check requirements.txt, package manifests, and dependency trees). Within 7 days: Upgrade Pillow to version 12.2.0 or later across development, staging, and production environments; verify through dependency scanning tools. Within 30 days: Implement input validation and size limits on GZIP decompression in any legacy code paths that cannot be immediately updated, and conduct regression testing on image processing workflows.

CVE-2026-40192

HIGH

2026-04-13 https://github.com/python-pillow/Pillow

GHSA-whj4-6x5x-4v2j

Denial Of Service

8.7

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 15, 2026 - 23:22 vuln.today

cvss_changed

CVSS Changed

Apr 15, 2026 - 23:22 NVD

8.7 (HIGH)

Analysis Generated

Apr 15, 2026 - 12:34 vuln.today

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

359 pypi packages depend on pillow (298 direct, 67 indirect)

Ecosystem-wide dependent count for version 10.3.0.

DescriptionNVD

Impact

Pillow did not limit the amount of GZIP-compressed data read when decoding a FITS image, making it vulnerable to decompression bomb attacks. A specially crafted FITS file could cause unbounded memory consumption, leading to denial of service (OOM crash or severe performance degradation).

Patches

The amount of data read is now limited to the necessary amount. Fixed in Pillow 12.2.0 (PR #9521).

Workarounds

Avoid Pillow >= 10.3.0, < 12.2.0 Only open specific image formats, excluding FITS.

AnalysisAI

Unbounded GZIP decompression in Pillow's FITS image parser enables remote denial-of-service via crafted image files. Pillow versions 10.3.0 through 12.1.x process FITS images without limiting decompression output, allowing attackers to trigger out-of-memory crashes or severe performance degradation through maliciously compressed images. …

RemediationAI

Within 24 hours: Inventory all systems running Pillow versions 10.3.0-12.1.x (check requirements.txt, package manifests, and dependency trees). Within 7 days: Upgrade Pillow to version 12.2.0 or later across development, staging, and production environments; verify through dependency scanning tools. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-40192 vulnerability details – vuln.today

Back

CVE-2026-40192

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

Impact

Patches

Workarounds

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

CVE-2026-40192

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

Impact

Patches

Workarounds

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code